September 30, 2002

CHARLES E. BRAVO
SENIOR VICE PRESIDENT, CHIEF TECHNOLOGY OFFICER

SUBJECT: Audit Report – Team Enterprise Initiative (Report Number EM-AR-02-014)

This report presents the results of our review of the Team Enterprise Initiative (Project Number 02BG011EM000). The self-initiated review was part of an on-going series of audits to review systems during the systems development life cycle process. The objectives of our audit were to: (1) assess the adequacy of Team Enterprise project definition and planning, (2) evaluate whether Postal Service management clearly defined requirements for applications supporting Team Enterprise, and (3) assess the adequacy of the system development process for applications supporting Team Enterprise.

The audit disclosed that functional requirements for applications designed to support Team Enterprise were adequately defined. However, the Team Enterprise initiative was not adequately defined. In addition, for one system under Team Enterprise, the Entry Information System, system security requirements were not always followed, and the approved systems development life cycle methodology was not always utilized. As a result, the Postal Service has no assurance that all team members understood the purpose and goals of Team Enterprise; application developers relied upon incomplete documentation and could have designed security requirements for the wrong level of sensitivity; and there is no assurance that the development of the Entry Information System will meet all requirements, ensure participation by all stakeholders, and control costs. Management’s comments and our evaluation of these comments are included in this report.

This report made four recommendations addressing these issues. Management agreed with two of the recommendations and has taken corrective actions addressing those issues identified in the report.
Management disagreed with the first finding and a portion of the second finding and the related recommendations; however, additional information provided by management as well as actions taken subsequent to the audit address the concerns raised in this report.

We appreciate the cooperation and courtesies provided by your staff during the audit. If you have any questions or need additional information, please contact Robert J. Batta, director, eCommerce and Marketing, at (703) 248-2100 or me at (703) 248-2300.

Ronald D. Merryman
Acting, Assistant Inspector General for eBusiness

Attachment

cc: Carole D. Koehler
    George W. Wright
    James L. Golden
    Susan M. Duchek

Team Enterprise Initiative    EM-AR-02-014

TABLE OF CONTENTS

Executive Summary

Part I

Introduction
    Background
    Objectives, Scope, and Methodology
    Prior Audit Coverage

Part II

Audit Results
    Project Definition
    Recommendation
    Management’s Comments
    Evaluation of Management’s Comments

    Security Requirements
    Recommendations
    Management’s Comments
    Evaluation of Management’s Comments

    System Development Process
    Audit Comment

Appendix. Management’s Comments

Restricted Information

EXECUTIVE SUMMARY

Introduction

There are five major stages in the systems development life cycle.[1] Each stage has several process points that need to be accomplished to develop a successful project. This report presents our self-initiated audit of the Team Enterprise initiative and associated software development. This is the sixth report in a series of Office of Inspector General (OIG) audits of Postal Service initiatives in the early phases of development. By early involvement in the process, the OIG can make recommendations to resolve issues in development prior to system implementation. Studies indicated that it is up to 100 times more costly to make changes after a system is placed into production.
Our objectives were to: (1) assess the adequacy of Team Enterprise project definition and planning, (2) evaluate whether Postal Service management clearly defined requirements for applications supporting Team Enterprise, and (3) assess the adequacy of the systems development process for applications supporting Team Enterprise.

Results in Brief

Our review found that functional requirements for applications designed to support Team Enterprise were adequately defined. However, the Team Enterprise initiative was not adequately defined. In addition, for one system under Team Enterprise, the Entry Information System, system security requirements were not always followed, and the approved systems development life cycle methodology was not always utilized.

These conditions occurred because Postal Service management believed they had adequately defined the initiative; however, the definition adopted by the project team and provided in program documentation was vague, subject to interpretation, and lacked specific goals for the initiative.
In addition, Postal Service management did not realize they had not completed the business data section of the business impact assessment.

As a result, the Postal Service has no assurance that all team members understood the purpose and goals of Team Enterprise. Furthermore, in the case of the Entry Information System, application developers relied upon incomplete documentation and could have designed security requirements for the wrong level of sensitivity; and there is no assurance that the development will meet all requirements, ensure participation by key stakeholders, and control costs.

[1] A systems development life cycle is a logical process by which systems analysts, software engineers, programmers, and end users build information systems and computer applications to solve business problems and needs.

Summary of Recommendations

We made four recommendations to correct identified deficiencies that include ensuring: the scope of Team Enterprise and associated goals are clearly defined and documented, all security requirements are followed, and system testing is completed.
We did not make a specific recommendation to address the use of an approved systems development life cycle methodology, because Postal Service management issued policy during the audit to address this concern.

Summary of Management’s Comments

Management disagreed with our first finding, a portion of the second finding, and the associated recommendations. The Postal Service believed Team Enterprise was adequately defined and that the executive sponsor had been appointed. Management agreed with the remaining findings and recommendations and has implemented corrective actions to address those recommendations. Management’s comments, in their entirety, are included in the appendix of this report.

Overall Evaluation of Management’s Comments

We disagree with management’s comments to the first finding and part of the second finding. During audit fieldwork, management provided inconsistent definitions for Team Enterprise and could not provide details of the programs. Also, the letter referenced in management’s comments neither specified that the manager was designated as the executive sponsor, nor did it specify the requirements of AS-805.

However, information provided by management subsequent to the audit addressed the concerns over these issues.
Thus, management’s comments and additional actions are responsive to satisfy the intent of our recommendations.

INTRODUCTION

Background

On May 18, 2001, senior Postal Service officials[2] initiated a work team for the purpose of developing a fast track method, named Team Enterprise, to improve mail tracking to support service measurement. A cross-functional team was established to develop the approach for implementation by October 1, 2002. Team Enterprise is not a program in itself but rather an umbrella that covers a multitude of programs (see diagram below).

At present, the Team Enterprise work team has developed a new application, Entry Information System (formerly called Start-The-Clock). The purpose of this system is to capture the date and time the Postal Service takes possession of mailings from business customers.

[Diagram: Team Enterprise Structure]

When our review took place, the Entry Information System was in the test phase and was placed in production on March 31, 2002.
We reviewed both the requirements and testing phases of the program, as well as overall program management.

[2] Senior Postal Service officials include the postmaster general, chief operating officer and executive vice president, and chief financial officer and executive vice president.

Objectives, Scope, and Methodology

The objectives of our review of the Team Enterprise initiative were to: (1) assess the adequacy of Team Enterprise project definition and planning, (2) evaluate whether the Postal Service clearly defined requirements for applications supporting the Team Enterprise initiative, and (3) assess the adequacy of the systems development process for applications supporting Team Enterprise.

To accomplish our objectives, we interviewed key project personnel, including the executive sponsor, portfolio manager, program manager, contracting officer representative, and the information system security representative. In addition, we interviewed operations representatives under Postal Service Mailing Operations staff – area coordinators.
We also reviewed key documentation related to requirements, planning, and program management.

This audit was conducted from February through September 2002 in accordance with generally accepted government auditing standards and included tests of internal controls as were considered necessary under the circumstances. We did not rely on computer-generated data to accomplish the objectives of this audit. We discussed our conclusions and observations with appropriate management officials and included their comments, where appropriate.

Prior Audit Coverage

We did not identify any prior audits or reviews related to the objective of this audit.

AUDIT RESULTS

Project Definition

Postal Service management did not clearly define the purpose of the Team Enterprise initiative.
Specifically, project documentation contained conflicting definitions and discussions with Postal Service management have yielded project definitions different from those contained in program documentation.

Industry best practices recommend that all large corporate initiatives be clearly defined and planned. This includes definition of goals, as well as tasks to accomplish these goals.

The letter initiating Team Enterprise stated the purpose was to establish a working team tasked to develop a fast track method to improve mail tracking to support service measurement, with a focus on Standard A letters/flats, Parcel Select, and First-Class Priority Mail. However, project documentation defined Team Enterprise as a strategic initiative with the purpose to design, plan, and support the deployment of cross-functional initiatives that bring value to the Postal Service and its business mailers.
It further indicated these initiatives would include both tactical and strategic efforts focusing on end-to-end accountability, service measurement and performance management, mail coding and tracking, collaborative planning and downstream notification, and the enabling of revenue assurance and auditing.

Further, during discussions with Postal Service management, they stated Team Enterprise was not a strategic initiative with specific goals, but rather a mechanism to work cross-functional issues. Additionally, although Postal Service management initially stated the number of programs included in the Team Enterprise initiative was 9 to 11, when asked to detail those programs, they stated the number was unknown and they would work issues as they were identified to the team.

Postal Service management believed they had adequately defined the initiative; however, the definition adopted by the project team and provided in program documentation was vague, subject to interpretation, and lacked specific goals for the initiative.

Clear project definition is necessary to guide the initiative, document approval from executive sponsors, and ensure all team members understand the purpose and goals of the project. It also provides the basis for project planning, and controls the scope of work to be performed.

Recommendation

We recommend the senior vice president, chief technology officer, ensure:

   1. Program management clearly define and document the purpose and goals of the Team Enterprise initiative.

Management’s Comments

Management disagreed with our finding and recommendation. Management commented that they believed the goals and purposes of Team Enterprise are adequately defined and documented. Along with their comments, management provided a PowerPoint presentation that detailed the ten programs currently being worked under Team Enterprise and stated that as business needs are identified and budgets are refined, the number of programs may change. They concluded this approach accounts for the difference in the number of programs under Team Enterprise at any given time.

Evaluation of Management’s Comments

We do not agree that management clearly defined and documented the purpose and goals of Team Enterprise during the audit, but management provided additional information that adequately addressed the issues we identified.
Consequently, management’s actions should correct the problem or resolve the issues identified in this report.

Security Requirements

Postal Service management did not ensure all Handbook AS-805, Information Security, requirements for the Entry Information System were fully completed.

Handbook AS-805, Information Security, requires the completion of a business impact assessment for all new applications (see Phase 1, definition below). This assessment should be completed by the executive sponsor or a representative designated in writing, and is used to determine the sensitivity and criticality of the system. This determination drives security requirements for the system.

The approved business impact assessment did not include an assessment of the business data being used by the system and was not signed by the executive sponsor or their designated representative.
Specifically, a review of the database specifications indicates business-mailing data such as mailers job numbers, presort level, mailers PERMIT number, and number of pieces in the current mailing will be stored by the system. However, the section of the business impact assessment used to classify business data was left blank.

This occurred because Postal Service management did not realize they had not completed the business data section of the business impact assessment. They stated it was an oversight and they had held discussions regarding the classification of the data. However, they did not document their discussion; therefore, we could not validate that a classification of the business data had occurred.

As a result, application developers relied upon incomplete documentation, and could have designed security requirements for the wrong level of sensitivity.

Recommendation

We recommend the senior vice president, chief technology officer, ensure:

   2. The executive sponsor designates, in writing, a representative as required by Handbook AS-805.

Management’s Comments

Management disagreed with recommendation 2 and the related finding.
Management stated that a letter sent in May 2001, from the vice president of Information Platform, designated the manager, Sales and Marketing Portfolio, the executive sponsor. Management’s comments further stated that this person was the business manager and responsible for items referenced in 3-2-1 of AS-805.

Evaluation of Management’s Comments

Subsequent to our audit work, management provided additional documentation to show that an executive sponsor was appointed and project documentation was modified.

Management’s actions taken should correct the problem or resolve the issues identified in this report.

Recommendations

We recommend the senior vice president, chief technology officer, ensure:

   3. The executive sponsor, or their designated representative, completes the business impact assessment to determine the sensitivity level of the business data.

   4. Program management determines the appropriate security requirements for the Entry Information System based upon the classification of business data and determines if these requirements have been met.

Management’s Comments

Management agreed with recommendations 3 and 4, and reported they took corrective action in July and April 2002, respectively.

Evaluation of Management’s Comments

In OIG’s opinion, management’s actions taken for recommendations 3 and 4 should correct the problem or resolve the issues identified in this report.

System Development Process

Postal Service management did not always follow an approved system development life cycle methodology for the Entry Information System.

Industry best practices recommend sound systems development life cycle methodologies should be followed for all application development efforts.
Additionally, Handbook AS-805, Information Security, requires an approved system development life cycle methodology be followed for all system development efforts.

For the Entry Information System, key personnel were not always assigned to the project in writing, key deliverables were not always produced, approvals of key deliverables were not always documented, and version control of key deliverables did not preserve the dates documents were prepared and/or approved. For example, the information system security representative was not appointed in writing and the business needs statement, program definition document, program charter, program plan, and risk management plan were not produced. Additionally, there was no documented evidence of formal approvals of the business case document and users requirements document. Further, the business case analysis did not have a fixed date for the document; instead, the date of the document changed each time it was printed.

The system development process was not always followed because program management was attempting to pilot the draft integrated solutions methodology after the systems development effort had begun.
Additionally, program management believed they could rely upon the contractor’s proprietary methodology. However, a review of contractual documents disclosed the contractor was not required to produce all deliverables required in the integrated solutions methodology.

Sound systems development processes are essential to ensure systems in development will meet all requirements, ensure participation by all stakeholders, and control costs.

Audit Comment

Subsequent to the initiation of the Team Enterprise audit, the integrated solutions methodology was completed and the chief financial officer and chief technology officer signed a policy requiring the use of the integrated solutions methodology. To allow development teams time to implement this new policy, we are not making any recommendations at this time.

APPENDIX. MANAGEMENT’S COMMENTS